How can Enterprise Mobility + Security help you?

Enterprise Mobility + Security (EMS) is a comprehensive cloud solution that natively protects corporate data on the device itself and beyond, with four layers of protection across identities, devices, apps, and data. EMS helps you solve one of the key challenges of a mobile-first, cloud-first world: providing a single identity that works across any web-based app in the industry.

Recommended solution

Azure AD is a cloud identity and access management solution that gives organizations secure, productive access to everything they need from everywhere, working alongside existing investments in traditional on-premises tools.

Access to single sign-on applications

Before single sign-on, IT admins had to manage separate users and passwords for every application the organization had to support:

Users entered a username and password into each app they used.

Single sign-on lets users access all the applications and resources they need to do business by signing in only once with a single user account. Once signed in, they can reach all of their applications without being asked to authenticate (for example, type a password) a second time.

Microsoft Azure AD Single Sign-On: this option uses federated sign-on (SAML or OpenID Connect) so that users are signed in to third-party applications such as Salesforce automatically, using their Azure AD identity. The application never receives an Azure AD password, only a signed assertion or token that it must validate.

Password Single Sign-On: this option has Azure AD sign users in to a third-party SaaS application automatically by supplying the application's own username and password, which are stored in Azure AD.
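With federated sign-on the security of the whole scheme rests on the application (the SAML service provider) checking what Azure AD asserted before it signs the user in. The following is an added example, not code from this page or from Microsoft, of the acceptance checks a service provider runs on a SAML 2.0 assertion once the XML signature over it has been verified: issuer, validity window with clock skew, audience, and subject. The tenant identifier, application URL, timestamps and the assertion itself are constructed placeholders.

```python
"""Added example: the acceptance checks a service provider (the third-party app)
applies to a SAML 2.0 assertion issued by Azure AD, after the assertion's XML
signature has been verified. Issuer, audience and timestamps are placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Placeholder values the service provider is configured with (assumptions).
EXPECTED_ISSUER = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
EXPECTED_AUDIENCE = "https://app.example.com/saml"

# Constructed assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_0a1b2c3d" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)


def _parse_ts(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       skew=timedelta(seconds=60)):
    """Return (subject, None) when the assertion is acceptable, else (None, reason).

    Signature verification over the Assertion element is assumed to have
    happened already; without it every check below is worthless, because an
    attacker can write whatever issuer, audience and times they like.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return None, "not a SAML Assertion"

    # 1. Issuer: the assertion must come from the tenant we federate with.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        return None, f"unexpected issuer {issuer!r}"

    # 2. Validity window, with a small allowance for clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return None, "missing validity window"
    if now + skew < _parse_ts(cond.get("NotBefore")):
        return None, "assertion not yet valid"
    if now - skew >= _parse_ts(cond.get("NotOnOrAfter")):
        return None, "assertion expired"

    # 3. Audience: an assertion minted for another app must not be accepted here.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return None, f"audience mismatch: {audiences}"

    # 4. Subject: the identity the app will sign in.
    subject = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not subject:
        return None, "missing Subject/NameID"
    return subject, None


def check_sample(minutes_offset=0, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Run the checks against the constructed assertion at SAMPLE_NOW + offset."""
    return validate_assertion(SAMPLE_ASSERTION, issuer, audience,
                              SAMPLE_NOW + timedelta(minutes=minutes_offset))


if __name__ == "__main__":
    print(check_sample())                  # ('alice@contoso.com', None)
    print(check_sample(minutes_offset=9))  # (None, 'assertion expired')
```

The audience check is the one most often skipped in home-grown integrations: without it a valid assertion issued for one application in the same tenant can be replayed against another. The skew allowance is deliberately small; a large one quietly widens the replay window.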

What if an app doesn't support federated single sign-on?

Password-based SSO is the best fit for apps that don't support SAML or OpenID Connect and only accept a username and password typed into a web form.

Enables application-specific sets of credentials to be defined and stored in Azure AD

Credentials can be assigned to users or groups for shared access. With a shared credential the application itself only ever sees one account, so per-user attribution of activity in that app has to come from the Azure AD sign-in records rather than from the application's own logs.

User account provisioning

User account provisioning is the act of creating, updating, and/or disabling user account records in an application's local user profile store. Most SaaS apps keep the user's role and permissions in their own local user profile store, so those records have to be kept in sync with the directory.

The Azure AD provisioning service connects to the SOAP or REST user management API that each app exposes and uses it to add, update, and disable user accounts. It supports group syncing, and profiles and roles can also be imported from the app into Azure AD.
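The add/update/disable cycle above is a reconciliation loop, and the details that matter for security are which key the two sides are matched on and what happens to accounts that are no longer assigned. The following is an added example, not code from this page or from the Azure AD provisioning service, of one reconciliation pass against a stand-in for an app's user store: the in-memory `AppUserStore`, the `u-alice`/`u-bob`/`u-carol` identifiers and the contoso.com users are all constructed for the example, and a real integration would make the same calls over the app's HTTP API.

```python
"""Added example: one reconciliation pass of the kind a provisioning service runs
against an app's user-management API: create missing accounts, update drifted
ones and disable (not delete) the ones that are no longer assigned.
The in-memory store and sample users are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class AppUser:
    external_id: str     # immutable directory object id; the matching key, never the UPN
    user_name: str
    display_name: str
    active: bool = True


class AppUserStore:
    """Stand-in for the app's local user profile store behind its REST/SOAP
    user-management API (constructed; a real app would be called over HTTP)."""

    def __init__(self) -> None:
        self.users: dict[str, AppUser] = {}

    def create(self, user: AppUser) -> None:
        if user.external_id in self.users:
            raise ValueError(f"duplicate external_id {user.external_id!r}")
        self.users[user.external_id] = user

    def get(self, external_id: str) -> AppUser | None:
        return self.users.get(external_id)


def reconcile(assigned: dict[str, tuple[str, str]], store: AppUserStore) -> list[tuple[str, str]]:
    """Bring `store` in line with `assigned` (external_id -> (user_name, display_name)),
    the users currently assigned to the app in the directory.

    Returns the (action, external_id) pairs performed. A second run on unchanged
    input returns [], so the pass is idempotent and safe to retry after a failure.
    """
    actions: list[tuple[str, str]] = []
    for ext_id, (user_name, display_name) in assigned.items():
        current = store.get(ext_id)
        if current is None:
            store.create(AppUser(ext_id, user_name, display_name))
            actions.append(("create", ext_id))
            continue
        desired = AppUser(ext_id, user_name, display_name, active=True)
        if current != desired:  # rename, profile change, or re-assignment of a disabled user
            current.user_name, current.display_name, current.active = user_name, display_name, True
            actions.append(("update", ext_id))
    # Anything in the app that is no longer assigned gets disabled. Deleting would
    # lose the audit trail and let a later account with the same user_name inherit it.
    for ext_id, current in store.users.items():
        if ext_id not in assigned and current.active:
            current.active = False
            actions.append(("disable", ext_id))
    return actions


# Constructed sample: a first run, then a run after Alice's UPN changed,
# Bob was unassigned and Carol was assigned.
FIRST_RUN = {
    "u-alice": ("alice@contoso.com", "Alice Example"),
    "u-bob": ("bob@contoso.com", "Bob Example"),
}
SECOND_RUN = {
    "u-alice": ("alice.example@contoso.com", "Alice Example"),
    "u-carol": ("carol@contoso.com", "Carol Example"),
}


def demo():
    store = AppUserStore()
    first = reconcile(FIRST_RUN, store)
    again = reconcile(FIRST_RUN, store)     # nothing to do
    second = reconcile(SECOND_RUN, store)
    return first, again, second, store


if __name__ == "__main__":
    first, again, second, store = demo()
    print(first)   # [('create', 'u-alice'), ('create', 'u-bob')]
    print(again)   # []
    print(second)  # [('update', 'u-alice'), ('create', 'u-carol'), ('disable', 'u-bob')]
    print(store.get("u-bob"))  # still present, active=False
```

Matching on the immutable directory id rather than the user principal name is what makes Alice's rename an update instead of a second account, and it is also why Bob's disabled record is reactivated, not duplicated, if he is assigned again later.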

The end-user experience

The Application Access Panel is a cross-device, cross-browser portal that can be reached from iOS, Android, Mac, and Windows. To reach it, users authenticate against Azure AD once, then see the list of applications they have access to and can launch any of them with a single click. If the administrator configured the application for SSO, users do not need to re-authenticate to open it: single sign-on handles the authentication automatically.

Bring your own apps

The Azure AD application gallery features thousands of applications that you can add to your organization, and if a third-party application is not listed there, you can still add it as a custom app for your organization to use.

You can onboard just about any web-based application that authenticates with a username and password, whether or not it is listed in the Azure application gallery.

End users can then access your on-premises applications the same way they access Office 365 and other SaaS apps integrated with Azure AD, without a VPN and without changing the network infrastructure.

How to implement this solution

The following steps describe how to implement each of the Azure AD capabilities discussed above. Each link leads to a different set of articles with the instructions and steps to carry out in your organization: